Protecting a VPN With IPsec

IPsec tunnels can protect a VPN. In the Solaris 10 7/07 release,
a tunnel can be in tunnel mode or transport mode. Tunnel mode is
interoperable with the implementation of IPsec by other vendors. Transport
mode is interoperable with earlier versions of the Solaris OS. For
a discussion of tunnel modes, see Transport and Tunnel Modes in IPsec.

Tunnels in tunnel mode offer finer-grained control of the traffic. In tunnel
mode you can specify, for an inner IP address, exactly which protection you
want, down to a single port.

Examples of Protecting a VPN With IPsec by Using Tunnels in Tunnel Mode

Figure 20–1 IPsec Tunnel Diagram

The following examples assume that the tunnel is configured for all
subnets of the LANs:

## Tunnel configuration ##
# Tunnel name is ip.tun0
# Intranet point for the source is 10.1.2.1
# Intranet point for the destination is 10.2.3.1
# Tunnel source is 192.168.1.10
# Tunnel destination is 192.168.2.10

Example 20–6 Creating a Tunnel That All Subnets Can Use

In this example, all traffic from the local
LANs of the Central LAN in Figure 20–1 can be tunneled through Router 1 to Router 2, and then delivered
to all local LANs of the Overseas LAN. The traffic is encrypted with AES.

Example 20–7 Creating a Tunnel That Connects Two Subnets Only

In this example, only traffic between subnet 10.1.2.0/24 of
the Central LAN and subnet 10.2.3.0/24 of the Overseas
LAN is tunneled and encrypted. In the absence of other IPsec policies for
Central, if the Central LAN attempts to route any traffic for other LANs over
this tunnel, the traffic is dropped at Router 1.

Example 20–8 Creating a Tunnel for Email Traffic Only Between Two Subnets

In this example, a tunnel is created for email traffic only. The traffic
is delivered from subnet 10.1.2.0/24 of the Central LAN
to the email server on the 10.2.3.0/24 subnet of the Overseas
LAN. The email is encrypted with Blowfish. The policies apply to the remote
and local email ports. The rport policy protects email
that Central sends to the remote email port of Overseas. The lport policy
protects email that Central receives from Overseas on local port 25.
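The policy entries below are an added illustration of the three examples above (20–6, 20–7 and 20–8), not the page's own listings. They follow the ipsecconf(1M) policy syntax for tunnels in tunnel mode and use the tunnel name and addresses from the tunnel configuration above. The integrity algorithm (encr_auth_algs sha1) and the sa shared keyword are assumptions; the page names only the encryption algorithms.

```text
# /etc/inet/ipsecinit.conf entries for Router 1 (the Central side).
# Added example, not the page's own listings. Assumes ip.tun0 is already
# plumbed with the addresses shown in the tunnel configuration above.
# encr_auth_algs sha1 and sa shared are assumptions; the page specifies
# only the encryption algorithms.

# Example 20-6: every subnet behind Central to every subnet behind Overseas,
# encrypted with AES. No laddr/raddr selector, so any inner address is
# allowed through the tunnel.
{tunnel ip.tun0 negotiate tunnel}
    ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

# Example 20-7: only 10.1.2.0/24 <-> 10.2.3.0/24, encrypted with AES.
# Inner packets for any other subnet match no policy on the tunnel and,
# absent other IPsec policy for Central, are dropped at Router 1.
{tunnel ip.tun0 negotiate tunnel laddr 10.1.2.0/24 raddr 10.2.3.0/24}
    ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

# Example 20-8: SMTP only between the two subnets, encrypted with Blowfish.
# The rport entry covers mail Central sends to Overseas's port 25; the
# lport entry covers mail Central receives from Overseas on its own port 25.
# Any other traffic offered to the tunnel is dropped.
{tunnel ip.tun0 negotiate tunnel ulp tcp rport 25 laddr 10.1.2.0/24 raddr 10.2.3.0/24}
    ipsec {encr_algs blowfish encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel ulp tcp lport 25 laddr 10.1.2.0/24 raddr 10.2.3.0/24}
    ipsec {encr_algs blowfish encr_auth_algs sha1 sa shared}
```

Only one of the three example policies would be active on a router at a time; they are shown together for comparison. The entries are loaded with ipsecconf -a, and Router 2 needs the mirror image, with laddr and raddr (and lport and rport) swapped, because laddr and lport always refer to the side on which the policy is installed.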